<!DOCTYPE html>
{% autoescape true %}
<html>
    <head>
        <meta http-equiv="Content-Security-Policy" content="script-src 'self' ajax.googleapis.com">
        <title>Using CSP</title>
        <link href='/css/base.css' rel='stylesheet' type='text/css'>
        <script>
            console.log('this cannot be executed');
        </script>
    </head>

    <body>
        <h1>Using CSP</h1>
        
        <div>One of the defenses against XSS is using Content-Security-Policy</div>
        <ul>
            <li>View the source of this page</li>
            <li>You will notice the CSP meta tag: <br>
                <b>&lt;meta http-equiv="Content-Security-Policy" content="script-src 'self' ajax.googleapis.com"&gt;</b></li>
            <li>Check the console and you will notice that the inline script is blocked.</li>
            
        </ul>       
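As an added example (not part of this page), a small Python checker that applies the page's policy the way the browser does for the cases above: the inline script in the head, a same-origin script, and a script loaded from ajax.googleapis.com. The page origin https://app.example is a constructed assumption, and host matching is simplified (no ports, paths, nonces or hashes).

```python
from urllib.parse import urlsplit

# Constructed for this example: the policy from this page's <meta> tag and a
# hypothetical origin the page is served from.
PAGE_POLICY = "script-src 'self' ajax.googleapis.com"
PAGE_ORIGIN = "https://app.example"


def parse_csp(policy):
    """Turn "dir src src; dir src" into {directive: [source expressions]}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return directives


def host_allows(expr, url):
    """Match one host-source expression against a script URL.
    Simplified: ports and paths are ignored; a leading '*.' matches subdomains."""
    target = urlsplit(url)
    if "://" in expr:  # host-source with an explicit scheme, e.g. https://cdn.example
        scheme, _, expr = expr.partition("://")
        if target.scheme != scheme:
            return False
    host = (target.hostname or "").lower()
    pattern = expr.split("/")[0].split(":")[0]
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return host == pattern


def script_allowed(policy, page_origin, script=None):
    """True if `policy` lets a page at `page_origin` run `script`, where
    `script` is None for an inline <script> block or else its external src URL."""
    directives = parse_csp(policy)
    sources = directives.get("script-src", directives.get("default-src"))
    if sources is None:  # no governing directive, so nothing is blocked
        return True
    if script is None:  # inline code needs the explicit 'unsafe-inline' opt-in
        return "'unsafe-inline'" in sources
    if "'none'" in sources:
        return False
    if "*" in sources:
        return True
    if "'self'" in sources:
        page, target = urlsplit(page_origin), urlsplit(script)
        if (page.scheme, page.hostname) == (target.scheme, target.hostname):
            return True
    return any(host_allows(e, script) for e in sources if not e.startswith("'"))
```

Calling `script_allowed(PAGE_POLICY, PAGE_ORIGIN)` returns False, which is why the `console.log` in this page's head never runs, while the same call with a same-origin or ajax.googleapis.com URL returns True.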
        <a href="/">Home</a>
    </body>
</html>

{% endautoescape %}